OpenWrt


1 OpenWrt

1.1 OpenVPN

1.1.1 setup

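# Install OpenVPN (OpenSSL build) and easy-rsa on the router. Refresh the
# package index first and stop if that fails, otherwise the install below
# silently works from a stale list.
opkg update || exit 1
opkg install openvpn-openssl openvpn-easy-rsa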
  • /etc/easy-rsa/vars
# KEY_* values picked up by easy-rsa's pkitool/build-* scripts once this file
# is sourced; they end up as the subject fields of the CA, server and client
# certificates, so set them before the first pkitool run.
export KEY_COUNTRY="CH"
export KEY_PROVINCE="SG"
export KEY_CITY="St. Gall"
export KEY_ORG="Bitbull Tech"
export KEY_EMAIL="crn@bitbull.ch"
export KEY_OU="Office"
# NOTE(review): the setup step later copies dh2048.pem, which presumes
# KEY_SIZE=2048 is already set elsewhere in this vars file — confirm before
# running build-dh.
export KEY_NAME="work.bitbull.ch" 
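cd /etc/easy-rsa/ || exit 1

# Load the KEY_* settings. The original line sourced "keys", which is the key
# *directory*, not the vars file: with vars unloaded KEY_DIR is empty and
# clean-all/pkitool refuse to run (or act on the wrong directory).
. /etc/easy-rsa/vars
# Wipes $KEY_DIR and recreates it empty — run this once, at initial setup only.
clean-all

pkitool --initca ## equivalent to the 'build-ca' script
pkitool --server fw3 ## equivalent to the 'build-key-server' script

build-dh ## and grab some coffee

# Only the CA *certificate*, the server cert/key and the DH parameters are
# needed by the daemon. ca.key stays behind in $KEY_DIR: whoever reads it can
# issue client certificates, so keep it root-only (ideally not on the router
# at all).
cd "$KEY_DIR" || exit 1
mkdir -p /etc/openvpn
cp ca.crt fw3.crt fw3.key dh2048.pem /etc/openvpn/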

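# Declare tun0 as an unmanaged interface (proto none) so it can be put into
# a firewall zone; OpenVPN, not netifd, assigns its address.
uci set network.vpn0=interface
uci set network.vpn0.ifname=tun0
uci set network.vpn0.proto=none
uci commit network; /etc/init.d/network reload

# Accept UDP/1194 from any zone (src=*), i.e. including WAN.
# Arguments are single-quoted: '[', ']' and '*' are glob characters and the
# shell would otherwise try filename expansion on them.
uci add firewall rule
uci set 'firewall.@rule[-1].name=Allow-OpenVPN-Inbound'
uci set 'firewall.@rule[-1].target=ACCEPT'
uci set 'firewall.@rule[-1].src=*'
uci set 'firewall.@rule[-1].proto=udp'
uci set 'firewall.@rule[-1].dest_port=1194'

# Zone for the tunnel. input=ACCEPT exposes every service on the router to
# VPN clients; use REJECT plus explicit rules if they only need the LAN.
# NOTE(review): a zone's 'forward' policy only covers traffic between
# networks inside the same zone — reaching 192.168.11.0/24 (the route pushed
# to clients) normally also needs a 'config forwarding' with src=vpn and
# dest=lan; confirm on the running firewall.
uci add firewall zone
uci set 'firewall.@zone[-1].name=vpn'
uci set 'firewall.@zone[-1].input=ACCEPT'
uci set 'firewall.@zone[-1].forward=ACCEPT'
uci set 'firewall.@zone[-1].output=ACCEPT'
uci set 'firewall.@zone[-1].network=vpn0'

uci commit firewall
/etc/init.d/firewall reload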
  • /etc/config/openvpn
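# OpenVPN server instance; file paths refer to what the setup step copied
# into /etc/openvpn.
config openvpn 'myvpn'
	option enabled '1'
	option dev 'tun'
	option proto 'udp'
	option log '/tmp/openvpn.log'
	option verb '3'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/fw3.crt'
	option key '/etc/openvpn/fw3.key'
	# Was 'clr_verify' pointing at 'clr.pem': both the option name and the
	# file name were misspelled, so the option was either ignored or rejected
	# as unknown and revoked client certificates were never checked. The
	# path matches where the revoke section copies the CRL. OpenVPN refuses
	# to start while this file is missing — it is created by revoke-full.
	option crl_verify '/etc/openvpn/crl.pem'
	option server '10.8.0.0 255.255.255.0'
	option port '1194'
	option keepalive '10 120'
	option dh '/etc/openvpn/dh2048.pem'
	# NOTE(review): compression inside the tunnel is discouraged nowadays
	# (compression-oracle class attacks); drop it unless bandwidth requires it.
	option comp_lzo 'adaptive'
	list push 'route 192.168.11.0 255.255.255.0'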
# Start the service, give it a moment to come up, then verify each layer:
# process present, tunnel device created, socket bound, and the log for
# errors (path is the 'log' option of /etc/config/openvpn).
/etc/init.d/openvpn start
sleep 3
ps -w | grep -F openvpn         # daemon running?
ifconfig | grep -F tun0         # tun0 exists?
netstat -an | grep -F 1194      # listener bound on the VPN port?
cat /tmp/openvpn.log            # startup messages / errors
  • /etc/easy-rsa/keys/client-ovpn-create.sh
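#!/bin/sh
# Build a self-contained client profile <name>.ovpn from the easy-rsa key
# directory. Run it from $KEY_DIR: ca.crt, <name>.crt and <name>.key are
# read relative to the current directory.
#   $1 - client name as passed to pkitool (e.g. user1.bitbull.ch)
# Exits 1 on bad usage, if the profile already exists, or if an input file
# is unreadable. The last check matters: the original version let a failed
# $(cat ...) through and wrote a profile with empty <cert>/<key> sections.
[ $# -ne 1 ] && exit 1
name=$1
conf="$name.ovpn"
test -r "$conf" && exit 1
for f in ca.crt "$name.crt" "$name.key"; do
  [ -r "$f" ] || { echo "missing $f" >&2; exit 1; }
done
# The profile embeds the client's private key: create it owner-readable only.
umask 077
cat > "$conf" <<EOF
client
dev tun
proto udp
remote myvpn.bitbull.ch 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# only accept a peer whose certificate carries the server extension set by
# 'pkitool --server'; without this any client certificate issued by the same
# CA could pose as the server
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(cat ca.crt)
</ca>
<cert>
$(cat "$name.crt")
</cert>
<key>
$(cat "$name.key")
</key>
EOF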
# Issue the client certificates (inside $KEY_DIR, vars sourced). --pass
# wraps the second user's private key in a passphrase.
pkitool user1.bitbull.ch ## equivalent to the 'build-key' script
pkitool --pass user2.bitbull.ch ## protect client cert with password

# Bundle CA cert, client cert and client key into one .ovpn per user.
for client in user1.bitbull.ch user2.bitbull.ch; do
  sh client-ovpn-create.sh "$client"
done

# These files carry private keys — check their modes before handing them out.
ls -l *.ovpn

1.1.2 revoke client cert

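cd /etc/easy-rsa || exit 1
# './' is deliberate: a bare '. vars' searches PATH, not the current
# directory, in POSIX shells such as the router's ash.
. ./vars
# Marks the cert revoked and regenerates keys/crl.pem. The 'openssl verify'
# it runs at the end is expected to report the cert as revoked (error 23):
# that is the success case, not a failure.
revoke-full user1.bitbull.ch
cp /etc/easy-rsa/keys/crl.pem /etc/openvpn/
# The server config must point at the copied CRL; expected output:
#    option crl_verify '/etc/openvpn/crl.pem'
grep crl /etc/config/openvpn
# Restart so the new CRL is in force. Current sessions are dropped, which is
# what you want for the revoked user.
/etc/init.d/openvpn restart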